1. Field of the Invention
This invention relates to methods and systems to maintain application data secure and authentication token for use therein.
2. Background Art
Unfortunately, authentication between people and their computer devices is both infrequent and persistent. Should a device fall into the wrong hands, the imposter has the full rights of the legitimate user.
Authentication requires that a user supply some proof of identity—via password, smartcard, or biometric—to a device. Unfortunately, it is infeasible to ask users to provide authentication for each request made of a device. Imagine a system that requires the user to manually compute a message authentication code for each command. The authenticity of each request can be checked, but the system becomes unusable. Instead, users authenticate infrequently to devices. User authentication is assumed to hold until it is explicitly revoked, though some systems further limit its duration to hours or days. Regardless, in this model authentication is persistent.
Persistent authentication creates tension between security and usability. To maximize security, a device must constantly reauthenticate its user. To be usable, authentication must be long-lived.
This tension has been resolved with a new model, called “transient authentication,” as described in the above-noted pending U.S. patent application. In this model, a user wears a small token, equipped with a short-range wireless link and modest computational resources. This token is able to authenticate constantly on the user's behalf. It also acts as a proximity cue to applications and services; if the token does not respond to an authentication request, the device can take steps to secure itself.
At first glance, transient authentication merely seems to shift the problem of authentication to the token. However, mobile and ubiquitous devices are not physically bound to any particular user; either they are carried or they are part of the surrounding infrastructure. As long as the token can be unobtrusively worn, it affords a greater degree of physical security.
Transient authentication has been applied to cryptographic file systems, as described in the above-noted pending U.S. application, and could be extended to protect swap space, as described in N. Provos, “Encrypting Virtual Memory,” PROCEEDINGS OF THE NINTH USENIX SECURITY SYMPOSIUM, pp. 35-44, Denver, Colo., August 2000. These provide a good first line of defense, protecting persistent storage from physical possession attacks. If the machine has been shutdown, hibernated, or has run out of power, this is sufficient to protect the machine from attack.
Unfortunately, they do not protect applications on machines that are running or have been suspended. An application that reads data from a cryptographic file system—or receives data from a secure network connection—holds that data in memory without protection. Mobile devices typically suspend themselves after an idle period or in response to a user closing its lid. If the device is suspended, or running, the contents of memory may be inspected through operating system interfaces or through physically probing the memory bus. An attacker can recover passwords and sensitive data such as credit card numbers, or patient records.
One solution is to require reauthentication after suspension or an idle period. This is an insufficient solution for two reasons. First, after a suspension or time-out all sensitive, in-memory data must be flushed or protected. No work has addressed this problem. Second, time-outs do not address the tension in usability versus security.
The patent document to Jones, et al., WO 95/16238, provides for a secure computer memory card. Described within is a method and apparatus for password protecting a computer. An integrated circuit incorporated within the computer's memory card may store public and private key values used to encrypt and decrypt data stored on the memory card or elsewhere on the host computer.
The U.S. Pat. No. 6,070,240, to Xydis, provides for a method of controlling a computer system comprising the steps of: disposing a computer in an operating space and placing the computer in a lockout mode to prevent operation of the computer software by a user. It also provides for a transponder that transmits an authorized user code in the operating spaced and identifying the user owning the transponder. The authorized user is then free to operate the computer software while the sensing for the presence of a transponder transmitting an authorized user code in the operating space is continued.
The U.S. Pat. No. 6,088,450, to Davis et al., provides for a wireless authentication system to control an operating state of a computer based on the proximity of an authorized user to the computer. The wireless authentication system comprises a security device implemented within the computer and a user authentication token (“token”) in possession of the authorized user. A Challenge/Response protocol is configured between the security device and the token. The first successful Challenge/Response message exchange between the security device and the token places the node in an operational state allowing the authorized user access to the contents and/or networked resources of the node. Later Challenge/Response message exchanges are set to occur periodically to check whether the authorized user possessing the token has left the node unattended thereby causing the node to be placed in a non-operational state.
The patent to Jones, et al., U.S. Pat. No. 5,623,637, provides for an encrypted data storage card including smartcard integrated circuit for storing an access password and encryption keys. Disclosed within is a method and apparatus for storing access passwords, encryption or decryption keys, or digital signatures, in a smart-card integrated circuit interconnected with a data access mechanism (hard drive) which are integral parts of a memory card of a laptop or notebook computer.
The patent to Cyras, et al., U.S. Pat. No. 5,889,866, provides for a method and apparatus for controlling access to detachably connectable computer devices using an encrypted password. Of interest is a method and apparatus for controlling access to a laptop or notebook computer using an encrypted password. The laptop computer includes a utility software that prompts the user for password assignment, password entry, etc. Encryption logic encrypts the entered password and stores the encrypted password as the key on the computer. Furthermore, if the encrypted entered password is the same as the key and, thus, the entered password is the same as the assigned password, an enable signal is sent to render the computer operable.
The patent to Rallis, et al., U.S. Pat. No. 6,189,099, provides for a notebook security system (NBS). Disclosed is a multi-level security system for preventing unauthorized use of a notebook, or laptop computer. A validation record stored on the computer's hard disk contains an encrypted key device serial number and an encrypted hard disk serial number. A program that is automatically invoked at computer power-up, or reset, implements the user validation procedure. The procedure permits entry past a first security level if the key device serial number matches the unencrypted number in the validation record. If the first-level validation is successful, the procedure then uses the encryption key to decrypt the hard disk serial number found in the stored validation record. The procedure permits entry past the second security level only if the validation record is properly decrypted and the actual hard disk serial number matches the decrypted number. A failure at any step in the user-validation procedure will immediately power down the computer, thereby rendering it useless to a thief not possessing the required key device.
The U.S. Pat. No. 5,757,916, to MacDoran et al., provides for a method and apparatus for authenticating the identity of a remote user entity where the identity of such user entity is authenticated by use of information specific to geodetic location of the user entity but that changes constantly, making “spoofing” the host device extremely difficult. The invention is preferably implemented utilizing satellite positioning technology to produce the identifying information.
The U.S. Pat. Nos. 5,544,321 and 5,611,050, to Theimer, provide for a method for superimposing prespecified locational, environmental, and contextual controls on user interactions, including interactions of mobile users, with computational resources. A system is described for electronically monitoring contextual information concerning users and machines, including state and locational information including proximity. Interaction policies, including user specified interaction policies, may be registered on an identifiable address path. Methods are described for detecting, selecting and controlling computer-controlled devices, based on the proximity of the device to the user, the current context of the user, the location of other nearby users and devices, and the current state of the devices. Temporary transfer of control, including exclusive control, of particular computers and computer-controlled devices to individual users based on the context and environment in proximity to those computing devices is also described.
The following U.S. patents are also generally related to the present invention: U.S. Pat. Nos. 5,012,514; 5,091,939; 5,226,080; 5,375,243; 5,657,470; and 5,836,010.
As previously mentioned, tokens are small devices providing authentication information for the user. A user must physically possess the token to authenticate to a local or remote machine. Examples of hardware tokens include SecureID, USB tokens, and smartcards. SecureIDs require the user to read a password from the token and type it into the device they are authenticating to. They utilize one-time passwords solving the problems that traditional password systems have. USB tokens and smartcards are inserted into the device and either transfer authentication information to the machine or must remain attached for continued operation.
Unfortunately, tokens suffer from a fundamental weakness in reauthentication. The user must frequently reauthenticate, or manually logout to ensure that the device has not been stolen while authenticated, thus caching credentials. Constant reauthentication can be accomplished by attaching the token to the device. Unfortunately, this encourages a user to leave the token with the device, providing little protection.
Several efforts have used proximity-based hardware tokens to detect the presence, or absence, of an authorized user. One person proposes disabling hardware access to the keyboard and mouse of a machine when the trusted user is away. A commercial alternative, Xy-Loc, has a software-based guard on the protected machine that refuses access when the token is absent. These systems approximate transient authentication, but do not adhere to its first principle, as described hereinbelow. The capability to act in these systems does not reside on the token; the token is merely advisory. Since the computing system is still capable of carrying out a sensitive operation, it could be forced to do so. Sensitive operations may be relegated to a secure coprocessor, rendering these physical attacks more difficult.
Rather than use hardware tokens, one could instead use biometrics. However, biometric authentication schemes intrude on users in two ways. The first is the false-negative rate: the chance of rejecting a valid user. For face recognition, this ranges between 10% and 40%, depending on the amount of time between training and using the recognition system. For fingerprints, the false-negative rate can be as high as 44%, depending on the subject. The second intrusion stems from physical constraints. For example, a user must touch a special reader to validate his fingerprint. Such burdens encourage users to disable or work around biometric protection. A notable exception is iris recognition. It can have a low false-negative rate, and can be performed unobtrusively. However, doing so requires three cameras—an expensive and bulky proposition for a laptop.
For transient authentication to succeed, a computing device must forget sensitive information, typically through encryption, as described in the above-noted parent application. Thereafter, only the token can provide the key to recover this information. Such techniques have also been applied to revocable backups and secure execution of batch jobs, and are sometimes referred to as non-monotonic protocols. It can be difficult to completely erase previously stored values, whether in memory or on disk. However, given a small amount of easily erasable media, one can solve this problem for a much larger, more persistent store.
ZIA, a cryptographic file system, uses transient authentication for file data protection, as described in the above-noted parent application. ZIA imposes overheads of less than 10% for representative workloads, and imposes no new usability burdens. Unfortunately, ZIA does not protect data once an application has read it. Application data that is paged out can be protected, leaving only in-memory state vulnerable to attack.
As described in F. Stajano and R. Anderson, “The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks,” SECURITY PROTOCOLS, 7TH INTERNATIONAL WORKSHOP PROCEEDINGS, Lecture Notes in Computer Science, 1999, the Resurrecting Duckling security policy proposes a set of policies for binding wireless devices to an owner. Laptops and tokens are bound by a user action, and trusted until a timeout period. In the duckling parlance, the binding process is “imprinting” and the authentication timeout causes token “assassination.”
As described in B. A. Miller and C. Bisdikian, “Bluetooth Revealed,” Prentice Hall, Upper Saddle River, N.J. 2001, Bluetooth uses similar techniques to “bond” two devices in a trust relationship and bonds can be removed manually.
The following documents are also related to the present application: U.S. Pat. No. 6,189,105; WO 01/20463; EP 0 447 386; EP 1 223 495; and Zadok I. Badulescu and A. Shender, “Cryptfs: A Stackable Vnode Level Encryption File System,” http://www.cs.columbia.edu/{ezk/research/cryptfs/cryptfs.html, Online! 17 Feb. 1999, pp. 1-25.
In summary, mobile and ubiquitous devices are susceptible to loss or theft, leaving the state of running applications vulnerable to data exposure. Current methods of authentication do not solve this problem since authentication is both infrequent and persistent.